
crypto/tls: incompatibility with Trust Settings in CA certificate #31881

Open
kruftik opened this issue May 7, 2019 · 4 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@kruftik

kruftik commented May 7, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12.4 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

golang:latest @ docker

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build114266566=/tmp/go-build -gno-record-gcc-switches"

What did you do?

The standard crypto/tls library is incompatible with CA certificates (either root or intermediate) when they contain Trust Settings (https://www.openssl.org/docs/manmaster/man1/x509.html#TRUST_SETTINGS):

$ openssl x509 -in rootCA.crt -text -noout
...
No Trusted Uses.
No Rejected Uses.
Alias: XXX
...

Since widely used MS AD-based CAs DO have such Settings in their certs, it is hard to use encrypted connections in Go programs in such environments.

What did you expect to see?

A successful TLS handshake.

What did you see instead?

In our case the server's cert is issued by an intermediate CA, which in turn is issued by the root CA, and server.crt contains the server's cert followed by the intermediate CA's.

When the Trust Settings are present in the intermediate's cert, the TLS negotiation fails with the following errors:
client.go:40: tls: failed to parse certificate from server: asn1: syntax error: trailing data
server.go:55: remote error: tls: bad certificate

If only the root's cert contains the Settings, the errors are slightly different:
client.go:40: x509: certificate signed by unknown authority
server.go:55: remote error: tls: bad certificate

(Example client and server apps are available at https://github.com/kruftik/go-tls-vs-windows-ad-ca; build.sh prepares the binaries)

Once the Settings are stripped from both the root and intermediate CA certs with the openssl x509 -in rootCA.crt -out rootCA.clean.crt command, the problem goes away.
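As an added example (not code from the issue, its linked repository, or the Go project), here is a small Go helper that does in code what the openssl command above does by hand: it detects and strips the trust-settings tail from a PEM bundle before the bundle reaches crypto/x509. It assumes that OpenSSL stores the settings as an X509_CERT_AUX structure appended after the certificate's DER bytes inside a "TRUSTED CERTIFICATE" PEM block, which is the tail Go rejects as "asn1: syntax error: trailing data"; the sample bytes in main are constructed and are not a real certificate.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// splitFirstElement returns the first complete ASN.1 SEQUENCE in der (the
// certificate) and whatever follows it (assumed: OpenSSL's appended
// X509_CERT_AUX trust settings, the "trailing data" Go complains about).
func splitFirstElement(der []byte) (cert, tail []byte, err error) {
	var raw asn1.RawValue
	tail, err = asn1.Unmarshal(der, &raw)
	if err != nil {
		return nil, nil, err
	}
	if raw.Class != asn1.ClassUniversal || raw.Tag != asn1.TagSequence || !raw.IsCompound {
		return nil, nil, fmt.Errorf("first element is tag %d, not a SEQUENCE", raw.Tag)
	}
	return raw.FullBytes, tail, nil
}

// cleanPEM rewrites every CERTIFICATE or TRUSTED CERTIFICATE block as a plain
// CERTIFICATE block holding only the certificate bytes, so x509.ParseCertificate
// and CertPool.AppendCertsFromPEM accept it; it also counts blocks that had a tail.
func cleanPEM(pemData []byte) (out []byte, stripped int, err error) {
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" || block.Type == "TRUSTED CERTIFICATE" {
			cert, tail, err := splitFirstElement(block.Bytes)
			if err != nil {
				return nil, 0, fmt.Errorf("%s block: %v", block.Type, err)
			}
			if len(tail) > 0 {
				stripped++
			}
			block = &pem.Block{Type: "CERTIFICATE", Bytes: cert}
		}
		out = append(out, pem.EncodeToMemory(block)...)
	}
	return out, stripped, nil
}

func main() {
	// Constructed input: a stand-in SEQUENCE (not a real certificate) followed by a second SEQUENCE playing the trust-settings tail.
	der := []byte{0x30, 0x03, 0x02, 0x01, 0x01, 0x30, 0x02, 0x05, 0x00}
	in := pem.EncodeToMemory(&pem.Block{Type: "TRUSTED CERTIFICATE", Bytes: der})
	out, n, err := cleanPEM(in)
	fmt.Printf("blocks with trust data stripped: %d, err: %v\n%s", n, err, out)
}
```

On a real bundle, hand the returned PEM to x509.ParseCertificate or CertPool.AppendCertsFromPEM; a non-zero count is a useful signal when diagnosing "trailing data" or "unknown authority" errors against an AD-issued chain. The discarded trusted/rejected usage lists are honoured only by OpenSSL, so dropping them does not loosen Go's own chain verification.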

@andybons
Member

andybons commented May 8, 2019

@FiloSottile

@andybons andybons added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 8, 2019
@andybons andybons added this to the Unplanned milestone May 8, 2019
@dmitshur dmitshur changed the title crypt/tls: incompatibility with Trust Settings in CA certificate crypto/tls: incompatibility with Trust Settings in CA certificate Jul 19, 2019
@Asgoret

Asgoret commented Apr 29, 2020

@andybons @dmitshur hi! Any news? :)

@andybons
Member

andybons commented Apr 30, 2020

@katiehockman

@buger

buger commented Jul 12, 2021

Experiencing a similar issue
